Compliance - Sarbanes-Oxley

Sarbanes-Oxley Section 404 (SOX 404)

SOX 404 requires a security management process to protect against unauthorized access and use within system operations. Sarbanes-Oxley Section 404 also describes security management for disclosure, modification, or interference with system operations.

Background

The Securities and Exchange Commission ruled that the criteria on which management’s evaluation is based must be derived from “a suitable, recognized control framework established by a body or group that has followed due process procedures, including the broad distribution of the framework for public comment.” The SEC points out in the final rules that the COSO Internal Control – Integrated Framework satisfied this requirement of Sarbanes-Oxley section 404.

Prism Microsystems' Solutions

Sarbanes-Oxley section 404 compliance is an integral component built into Prism’s methodology and SOX 404 software solutions that address all 5 of the categories required for Sarbanes-Oxley (SOX) compliance:

  • Monitoring
  • Risk Assessment
  • Information & Communication
  • Control Activities
  • Control Environment
COSO Components and Prism Solutions

COSO Component: Control Environment
The control environment creates the foundation for effective internal control and represents the apex of the corporate governance structure.
Prism Solution:
Baseline systems and report on all files and applications that those systems support. This allows IT to quickly assess the systems and their criticality in the overall financial reporting structure. Additionally, application and file monitoring assures that individuals are only accessing functions and files that are relevant to their job titles.

COSO Component: Risk Assessment
Risk assessment involves the identification and analysis by management of relevant risks to achieving predetermined objectives. Risk assessment may occur at the company level or at the activity level. Assessment of IT risks should include data security, availability and performance analysis.
Prism Solution:
Baseline systems, report on any changes that might pose a risk, and restore the original configuration if needed. The solution also provides performance analysis based on configurable thresholds.

COSO Component: Control Activities
Control activities are the policies, procedures and practices that are put into place to ensure that business objectives are achieved and risk mitigation strategies are carried out. IT controls include such things as system software controls and security controls.
Prism Solution:
Automated event consolidation, reporting and archival fulfills the requirement for “an automated, replicable process.” Automatic report creation assures that data found in log entries is accurately presented in report form to key stakeholders in the organization.

COSO Component: Information & Communication
COSO states that information is needed at all levels of an organization. However, the identification, management and communication of relevant information represent an ever-increasing challenge to the IT department. At the activity level, the following may be expected:

  • Development and communication of standards to achieve corporate policy objectives
  • Identification and timely communication of information to assist in achieving business objectives
  • Identification and timely reporting of security violations

Prism Solution:
Simplified summary reports on key events are automatically generated for management review. Reports on specific events, e.g. security breaches, can be automatically generated with the supporting details and distributed to compliance officers.

COSO Component: Monitoring
Monitoring, which covers the oversight of internal control by management through continuous and point-in-time assessment processes, is becoming increasingly important to IT management. Improving security can reduce the risk of processing unauthorized transactions and generating inaccurate reports, and can reduce the risk that key systems become unavailable if applications and IT infrastructure components have been compromised.
Prism Solution:
Host-based intrusion detection and event correlation are standard features. Additionally, performance monitoring, including CPU, memory and application usage monitoring at user-defined levels, can provide early warning of such things as DoS attacks. Baseline reporting and change detection assure that changes to financial reporting systems are detected.

Pre-defined SOX Audit-ready Reports:

  • User Logoff report - Sec 302 (a)(4)(C) and (D) state that user accesses to the system be recorded and monitored for possible abuse.
  • User Logon report - Sec 302 (a)(4)(C) and (D) state that user accesses to the system be recorded and monitored for possible abuse.
  • Logon Failure report - The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.
  • Audit Logs access report - Sec 302 (a)(4)(C) and (D) (review and audit access logs) call for procedures to regularly review records of information system activity, such as audit logs.
  • Security Log Archiving Utility - Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.
  • Track Account management changes - Significant changes in internal controls, sec 302 (a)(6): changes in security configuration settings, such as adding a user account to or removing one from an administrative group, can be tracked by analyzing event logs.
  • Track Audit policy changes - Comply with internal controls sec 302 (a)(5) by tracking the event logs for any changes in the security audit policy.
  • Track individual user actions - Comply with internal controls sec 302 (a)(5) by auditing user activity.
  • Track application access - Comply with internal controls sec 302 (a)(5) by tracking application processes.
  • Track directory / file access - Comply with internal controls sec 302 (a)(5) by reporting any access violation.
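As an added illustration of how the Logon Failure, Account management and Audit policy reports listed above can be derived from event logs, the following Python is example code written for this page, not Prism Microsystems' software. It assumes a simplified pipe-delimited log layout and a constructed sample of Windows Security events (IDs 4625 logon failure, 4732 local group addition, 4719 audit policy change).

```python
from collections import defaultdict

# Constructed sample log (not real data): one event per line in an assumed
# "timestamp|event_id|account|detail" layout using Windows Security event IDs.
SAMPLE_LOG = """\
2024-03-01T08:02:11|4624|alice|Logon type 2
2024-03-01T08:05:40|4625|bob|Logon type 2, bad password
2024-03-01T08:05:52|4625|bob|Logon type 2, bad password
2024-03-01T08:06:03|4625|bob|Logon type 2, bad password
2024-03-01T08:10:17|4625|carol|Logon type 10, bad password
2024-03-01T09:15:00|4732|alice|Added dave to BUILTIN\\Administrators
2024-03-01T09:20:00|4719|alice|Audit policy changed: logon auditing disabled
2024-03-01T17:30:45|4634|alice|Logoff
"""

LOGON_FAILURE = "4625"
AUDIT_POLICY_CHANGE = "4719"
# Account-management events that the "account management changes" report tracks
ACCOUNT_MGMT = {"4720": "user created", "4726": "user deleted",
                "4728": "added to global group", "4732": "added to local group"}

def parse_log(text):
    # Split the pipe-delimited sample into dicts; malformed lines are skipped
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4:
            events.append(dict(zip(("time", "id", "account", "detail"), parts)))
    return events

def logon_failure_report(events, threshold=1):
    # Per user: failure count plus first and last timestamp; users below
    # the threshold are left out so the report focuses on repeated failures
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == LOGON_FAILURE:
            per_user[e["account"]].append(e["time"])
    return sorted((user, len(t), min(t), max(t))
                  for user, t in per_user.items() if len(t) >= threshold)

def control_change_report(events):
    # Account-management and audit-policy changes, labelled for the reviewer
    rows = []
    for e in events:
        if e["id"] in ACCOUNT_MGMT:
            rows.append((e["time"], e["account"], ACCOUNT_MGMT[e["id"]], e["detail"]))
        elif e["id"] == AUDIT_POLICY_CHANGE:
            rows.append((e["time"], e["account"], "audit policy change", e["detail"]))
    return rows
```

Calling `logon_failure_report(parse_log(SAMPLE_LOG), threshold=3)` returns only bob's three failures with their first and last times, while `control_change_report` lists the group addition and the audit policy change for compliance review.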